{
  "name": "Introducing ToyMaker",
  "slug": "introducing-toymaker",
  "description": "The initial access broker (IAB), whom Talos calls \u201cToyMaker\u201d and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor, which we call \u201cLAGTOY\u201d, and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.",
  "published": "2025-04-23T20:12:59+00:00",
  "created_at": "2025-04-23T20:12:59+00:00",
  "modified_at": "2025-04-23T20:56:50+00:00",
  "created_at_opencti": "2025-04-23T20:12:59+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-23",
    "anydesk",
    "bugsleep",
    "cactus",
    "capture",
    "file transfer",
    "holerun",
    "impacket",
    "initial access broker",
    "lagtoy",
    "magnet ram",
    "metasploit",
    "persistence",
    "powershell",
    "ransomware",
    "ssh",
    "toymaker",
    "winscp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "51.81.42.234"
      },
      {
        "id": "",
        "name": "39.106.141.68"
      },
      {
        "id": "",
        "name": "47.117.165.166"
      },
      {
        "id": "",
        "name": "209.141.43.37"
      },
      {
        "id": "",
        "name": "194.156.98.155"
      },
      {
        "id": "",
        "name": "178.175.134.52"
      },
      {
        "id": "",
        "name": "162.33.178.196"
      },
      {
        "id": "",
        "name": "162.33.177.56"
      },
      {
        "id": "",
        "name": "158.247.211.51"
      },
      {
        "id": "",
        "name": "149.102.243.100"
      },
      {
        "id": "",
        "name": "103.199.16.92"
      },
      {
        "id": "",
        "name": "75.127.0.235"
      },
      {
        "id": "",
        "name": "64.52.80.252"
      },
      {
        "id": "",
        "name": "206.188.196.20"
      },
      {
        "id": "",
        "name": "195.123.240.2"
      },
      {
        "id": "",
        "name": "fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826"
      },
      {
        "id": "",
        "name": "c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b"
      },
      {
        "id": "",
        "name": "70077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880de"
      },
      {
        "id": "",
        "name": "5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d"
      },
      {
        "id": "",
        "name": "0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:cc5d3a15c15b5c00",
        "name": "LAGTOY",
        "slug": "lagtoy"
      },
      {
        "id": "legacy:malware:c3ee75fbaae48de2",
        "name": "Cactus",
        "slug": "cactus"
      }
    ],
    "attack_patterns": [
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/",
    "https://otx.alienvault.com/pulse/680965ec5fefc9e20eb4bef2"
  ]
}